Setting up a custom Netflow alert

I would like to setup an alerts for certain subnet if BW from that subnet exceeds a certain mbps or gbps. Is this possible?

Thanks

Find more posts tagged with

Accepted answers

All comments

stibi

Hi @JJay04 ,

This should be doable, but the alert will always be limited by node. I assume that those subnets will be passing by single node, so it should not be an issue, but I might be wrong. Anyway, here are the steps:

Navigate to NTA Settings -> IP Groups Management.
Create an IP Group with the subnet that we will use for the alert.
Navigate to the alert management page.
Search for alert "Endpoint traffic is over 5 GB in last hour" as we will use it as a template.
Duplicate this alert
Since the triggered alert will show only the node for which it was triggered, I recommend naming the alert in a way that you will immediately know for which subnet it was triggered.
Click on the next button, which will navigate you to the Trigger Condition section
Paste the following query into the bottom part of the query (the top part is not editable):
1. INNER JOIN
  (
  SELECT Flows.IPGroup.IPAddressGroupID, NodeID
  FROM Orion.Netflow.FlowsByIP AS Flows
  WHERE
  (TimeStamp >= AddMinute(-61, DateTrunc('minute', GetUtcDate())) AND TimeStamp < AddMinute(-1, DateTrunc('minute', GetUtcDate()))) AND Flows.IPGroup.Name = 'solarwinds'
  GROUP BY Flows.IPGroup.IPAddressGroupID, NodeID
  HAVING ((SUM(Bytes)) / (1024 * 1024 * 1024)) > 1
  ) AS Flows
  ON Flows.NodeID = Nodes.NodeID
In the WHERE clause you must change Flows.IPGroup.Name = 'solarwinds' with the name of your IP Address Group that you created in step 2.
Section HAVING ((SUM(Bytes)) / (1024 * 1024 * 1024)) > 1 is the main trigger condition. Meaning that the alert will trigger if that IP Address Group exceeds 1 GB of data.
The time condition is set to the past 1 hour. Feel free to adjust it based on your needs.
Finish the alert creation. There are no additional steps specific to this alert.
Alert is disabled by default, so you will need to enable it.

Hope this will work. Let me know if you will want some adjustments.

JJay04

Thanks for your help! I did not have "Endpoint traffic is over 5 GB in last hour" but had someone send me the template. Testing this out now.

JJay04

How do I need to adjust the settings if I want it to be 1536MB with in 15min?

stibi

You would need to adjust the following parts:
Replace: (TimeStamp >= AddMinute(-61, DateTrunc('minute', GetUtcDate()))
With: (TimeStamp >= AddMinute(-16, DateTrunc('minute', GetUtcDate()))

Replace: HAVING ((SUM(Bytes)) / (1024 * 1024 * 1024)) > 1
With: HAVING ((SUM(Bytes)) / (1024 * 1024) > 1536

That way, the alert will trigger when your IP Address Group will have traffic over 1536 MB in the last 15 minutes

Datlt

Hello, I read your article and followed the instructions. However, in the "trigger action" section, I want it to display which IP has exceeded the 1GB usage threshold. Is that possible?